.\"
.\" Copyright (c) 2009 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED
.\" ON IN PRODUCTION SYSTEMS.  IT WILL BREAK YOUR SOFTWARE IN NEW AND
.\" UNEXPECTED WAYS.
.\"
.\" This software was developed at the University of Cambridge Computer
.\" Laboratory with support from a grant from Google, Inc.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd June 11, 2009
.Os
.Dt LIBCAPABILITY 3
.Sh NAME
.Nm libcapability
.Nd "library interface to capability-mode services"
.Sh LIBRARY
.Lb libcapability
.Sh SYNOPSIS
.In sys/types.h
.In sys/capability.h
.In libcapability.h
.Ft int
.Fn lc_limitfd "int fd" "cap_rights_t rights"
.Sh DESCRIPTION
.Nm
implements APIs that allow applications to create, manage, and interact with
sandboxed software services running in capability mode, described in
.Xr cap_enter 2 .
Applications linked against
.Nm
will use one or both of "host" and "sandbox" APIs, depending on whether they
consume or produce sandboxed services.
.Nm
will start sandboxed components using a sandbox-specific run-time linker,
.Xr rtld-elf-cap 1 ,
rather than the standard
.Xr rtld-elf 1 .
.Pp
Host processes use the
.Nm
host API,
described in
.Xr libcapability_host 3 ,
to launch compartmentalized components in sandboxes.
They may also use
.Nm
to communication with the sandboxed service based on socket I/O or remote
procedure call (RPC).
.Pp
Sandbox processes run in capability mode, and are only able to use resources
either assigned to the sandbox during creation, or later explicitly passed to
the process.
Sandbox processes use the
.Nm
sandbox API,
described in
.Xr libcapability_sandbox 3 .
Sandboxed processes themselves may launch software components in further
sandboxes, so a single program may use both host and sandbox APIs.
.Sh CAPABILITY API
.Fn lc_limitfd
is a wrapper around
.Xr cap_new 2 ,
.Xr dup2 2 ,
and
.Xr close 2 .
which takes an existing file descriptor and replaces it with a capability
with the requested rights mask.
.Sh SEE ALSO
.Xr rpcgen 1 ,
.Xr rtld-elf 1 ,
.Xr rtld-elf-cap 1 ,
.Xr cap_enter 2 ,
.Xr cap_new 2 ,
.Xr close 2 ,
.Xr dup2 2 ,
.Xr libcapability_host 3 ,
.Xr libcapability_sandbox 3 ,
.Xr unix 4
.Sh HISTORY
Support for capabilities and capabilities mode was developed as part of the
.Tn TrustedBSD
Project.
.Sh BUGS
WARNING: THIS IS EXPERIMENTAL SECURITY SOFTWARE THAT MUST NOT BE RELIED ON IN
PRODUCTION SYSTEMS.  IT WILL BREAK YOUR SOFTWARE IN NEW AND UNEXPECTED WAYS.
.Sh AUTHORS
These functions and the capability facility were created by
.An "Robert N. M. Watson"
at the University of Cambridge Computer Laboratory with support from a grant
from Google, Inc.
